On 13/06/18 09:52, Juergen Gross wrote:
> On 12/06/18 17:58, Juergen Gross wrote:
>> On 08/06/18 12:12, Juergen Gross wrote:
>>> On 07/06/18 13:30, Juergen Gross wrote:
>>>> On 06/06/18 11:40, Juergen Gross wrote:
>>>>> On 06/06/18 11:35, Jan Beulich wrote:
>>>>>>>>> On 05.06.18 at 18:19, <ian.jack...@citrix.com> wrote:
>>>>>>>>> test-amd64-i386-libvirt-qemuu-debianhvm-amd64-xsm 14
>>>>>>>>> guest-saverestore.2
>>>>>>> I thought I would reply again with the key point from my earlier mail
>>>>>>> highlighted, and go a bit further. The first thing to go wrong in
>>>>>>> this was:
>>>>>>>
>>>>>>> 2018-05-30 22:12:49.320+0000: xc: Failed to get types for pfn batch (14
>>>>>>> = Bad address): Internal error
>>>>>>> 2018-05-30 22:12:49.483+0000: xc: Save failed (14 = Bad address):
>>>>>>> Internal error
>>>>>>> 2018-05-30 22:12:49.648+0000: libxl-save-helper: complete r=-1: Bad
>>>>>>> address
>>>>>>>
>>>>>>> You can see similar messages in the other logfile:
>>>>>>>
>>>>>>> 2018-05-30 22:12:49.650+0000: libxl:
>>>>>>> libxl_stream_write.c:350:libxl__xc_domain_save_done: Domain 3:saving
>>>>>>> domain: domain responded to suspend request: Bad address
>>>>>>>
>>>>>>> All of these are reports of the same thing: xc_get_pfn_type_batch at
>>>>>>> xc_sr_save.c:133 failed with EFAULT. I'm afraid I don't know why.
>>>>>>>
>>>>>>> There is no corresponding message in the host's serial log nor the
>>>>>>> dom0 kernel log.
>>>>>> I vaguely recall from the time when I had looked at the similar Windows
>>>>>> migration issues that the guest is already in the process of being
>>>>>> cleaned
>>>>>> up when these occur. Commit 2dbe9c3cd2 ("x86/mm: silence a pointless
>>>>>> warning") intentionally suppressed a log message here, and the
>>>>>> immediately following debugging code (933f966bcd x86/mm: add
>>>>>> temporary debugging code to get_page_from_gfn_p2m()) was reverted
>>>>>> a little over a month later. This wasn't as a follow-up to another patch
>>>>>> (fix), but following the discussion rooted at
>>>>>> https://lists.xenproject.org/archives/html/xen-devel/2017-06/msg00324.html
>>>>> That was -ESRCH, not -EFAULT.
>>>> I've looked a little bit more into this.
>>>>
>>>> As we are seeing EFAULT being returned by the hypervisor this either
>>>> means the tools are specifying an invalid address (quite unlikely)
>>>> or the buffers are not as MAP_LOCKED as we wish them to be.
>>>>
>>>> Is there a way to see whether the host was experiencing some memory
>>>> shortage, so the buffers might have been swapped out?
>>>>
>>>> man mmap tells me: "This implementation will try to populate (prefault)
>>>> the whole range but the mmap call doesn't fail with ENOMEM if this
>>>> fails. Therefore major faults might happen later on."
>>>>
>>>> And: "One should use mmap(2) plus mlock(2) when major faults are not
>>>> acceptable after the initialization of the mapping."
>>>>
>>>> With osdep_alloc_pages() in tools/libs/call/linux.c touching all the
>>>> hypercall buffer pages before doing the hypercall I'm not sure this
>>>> could be an issue.
>>>>
>>>> Any thoughts on that?
>>> Ian, is there a chance to dedicate a machine to a specific test trying
>>> to reproduce the problem? In case we manage to get this failure in a
>>> reasonable time frame I guess the most promising approach would be to
>>> use a test hypervisor producing more debug data. If you think this is
>>> worth doing I can write a patch.
>> Trying to reproduce the problem in a limited test environment finally
>> worked: doing a loop of "xl save -c" produced the problem after 198
>> iterations.
>>
>> I have asked a SUSE engineer doing kernel memory management if he
>> could think of something. His idea is that maybe some kthread could be
>> the reason for our problem, e.g. trying page migration or compaction
>> (at least on the test machine I've looked at compaction of mlocked
>> pages is allowed: /proc/sys/vm/compact_unevictable_allowed is 1).
>>
>> In order to be really sure nothing in the kernel can temporarily
>> switch hypercall buffer pages read-only or invalid for the hypervisor
>> we'll have to modify the privcmd driver interface: it will have to
>> gain knowledge which pages are handed over to the hypervisor as buffers
>> in order to be able to lock them accordingly via get_user_pages().
>>
>> While this is a possible explanation of the fault we are seeing it might
>> be related to another reason. So I'm going to apply some modifications
>> to the hypervisor to get some more diagnostics in order to verify the
>> suspected kernel behavior is really the reason for the hypervisor to
>> return EFAULT.
> I was lucky. Took only 39 iterations this time.
>
> The debug data confirms the theory that the kernel is setting the PTE to
> invalid or read only for a short amount of time:
>
> (XEN) fixup for address 00007ffb9904fe44, error_code 0002:
> (XEN) Pagetable walk from 00007ffb9904fe44:
> (XEN) L4[0x0ff] = 0000000458da6067 0000000000019190
> (XEN) L3[0x1ee] = 0000000457d26067 0000000000018210
> (XEN) L2[0x0c8] = 0000000445ab3067 0000000000006083
> (XEN) L1[0x04f] = 8000000458cdc107 000000000001925a
> (XEN) Xen call trace:
> (XEN) [<ffff82d0802abe31>] __copy_to_user_ll+0x27/0x30
> (XEN) [<ffff82d080272edb>] arch_do_domctl+0x5a8/0x2648
> (XEN) [<ffff82d080206d5d>] do_domctl+0x18fb/0x1c4e
> (XEN) [<ffff82d08036d1ba>] pv_hypercall+0x1f4/0x43e
> (XEN) [<ffff82d0803734a6>] lstar_enter+0x116/0x120
>
> The page was writable again when the page walk data has been collected,
> but A and D bits still are 0 (which should not be the case in case the
> kernel didn't touch the PTE, as the hypervisor read from that page some
> instructions before the failed write).
>
> Starting with the Xen patches now...
Given that walk, I'd expect the spurious pagefault logic to have kicked
in, and retried.
Presumably the spurious walk logic saw the non-present/read-only mappings?
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
